8782782

Computer System with Risk-Based Assessment and Protection Against Harmful User Activity

Published: July 15, 2014
Assignee: not available in USPTO data we have
Technical Abstract

Patent Claims
20 claims

Legal claims defining the scope of protection, as filed with the USPTO.

1. A method of protecting a computer system against potentially harmful activity of a privileged user authorized to perform sensitive computer system operations which non-privileged users of the computer system are not authorized to perform, the method comprising:
  deploying a risk agent in the computer system, the risk agent being communicatively coupled to a risk engine, the risk engine being operative in response to queries from the risk agent to perform rules-based risk assessments of activities identified in the queries and to provide responses conveying risk assessment results; and
  operating the risk agent in the computer system to:
    (a) identify a user as one of a privileged user and a non-privileged user, the privileged user being authorized to perform sensitive computer system operations the non-privileged user is not authorized to perform;
    (b) when the user is identified as the non-privileged user, refrain from performing a monitoring action that includes monitoring computer system activity of the user;
    (c) when the user is identified as the privileged user, then (i) perform the monitoring action to monitor computer system activity of the privileged user to detect initiation of a sensitive computer system operation, and (ii) identify the computer system operation as one of a sensitive computer system operation and a non-sensitive computer system operation, the sensitive computer system operation being either an unusual operation not normally performed by the privileged user or having special potential for causing disruption to a service provided by the computer system, the non-sensitive computer system operation normally being performed by the privileged user and lacking special potential for causing disruption to the service provided by the computer system;
    (d) when the computer system operation is identified as the non-sensitive computer system operation during the monitoring, then allow the computer system operation to proceed and refrain from performing an assessment to determine whether the computer system operation exceeds a predetermined criteria of riskiness;
    (e) when the computer system operation is identified as the sensitive computer system operation during the monitoring, then perform the assessment to determine whether the sensitive computer system operation exceeds the predetermined criteria of riskiness, and if not then (i) allow the sensitive computer system operation to proceed and (ii) refrain from performing an additional security related processing; and
    (f) when the sensitive computer system operation is determined to exceed the predetermined criteria of riskiness, then perform the additional security related processing by:
      (1) formulating and sending a query to the risk engine requesting risk assessment for the sensitive computer system operation,
      (2) receiving a response to the query from the risk engine, and
      (3) based on a risk assessment result in the response, selecting one of a set of control actions and performing the selected control action, the set of control actions including allowing the sensitive computer system operation to proceed, preventing the sensitive computer system operation from proceeding, issuing a notification that the sensitive computer operation is proceeding, and obtaining further confirmation as a condition to allowing the sensitive computer system operation to proceed.

2. A method according to claim 1, wherein the computer system is a storage area network, the privileged user is a storage area network administrator, and the sensitive computer system operation is one of a set of predetermined administrative storage-related operations, the set including mounting or dismounting a disk drive; deleting data of the non-privileged user; writing to a file of the non-privileged user; and deleting an entire storage device.

3. A method according to claim 2, wherein the storage-related operation is selected from the group consisting of mounting or dismounting a disk drive; deleting user data and/or an entire storage device; and writing to files stored on storage devices of the storage area network.

4. A method according to claim 1, wherein the computer system includes an operating system and the sensitive computer system operation is a function provided by the operating system.

5. A method according to claim 4, wherein the function provided by the operating system is selected from the group consisting of deleting user data and/or storage devices; and writing data to files included in a file system of the operating system.

6. A method according to claim 1, wherein the computer system includes a virtual machine monitor and the sensitive computer system operation is a function provided by the virtual machine monitor.

7. A method according to claim 6, wherein the function provided by the virtual machine monitor is selected from the group consisting of creating a virtual machine; deleting a virtual machine; and moving or copying a virtual machine.

8. A method according to claim 1, wherein the risk agent is one of a plurality of risk agents in the computer system, each risk agent operating at a respective one of distinct operating layers of the computer system, the operating layers including at least an application layer and an operating system layer, each risk agent communicating with a respective one of distinct risk engines using respective distinct risk models each tailored for the respective operating layer.

9. A method according to claim 8, wherein the operating layers further include a virtual machine monitor layer, and the risk agents include a risk agent operating at the virtual machine monitor layer.

10. A method according to claim 1, wherein obtaining further confirmation as a condition to allowing the sensitive computer system operation to proceed includes (i) selecting one of set of confirmation actions including requesting further credentials from the privileged user and obtaining clearance from a separate trusted system user, and (ii) performing the selected confirmation action.

11. A computer for use in a computer system, comprising:
  memory;
  one or more processors;
  input/output circuitry for connecting the computer to a risk engine, the risk engine being operative in response to queries from a risk agent of the computer to perform model-based risk assessments of activities identified in the queries and to provide responses conveying risk assessment results;
  one or more data buses coupling the memory, processors and input/output circuitry together; and
  computer instructions stored in the memory and executable by the processors to cause the computer to perform a method of protecting the computer system against potentially harmful activity of a privileged user authorized to perform sensitive computer system operations which non-privileged users of the computer are not authorized to perform, the method including:
    (a) identifying a user as one of a privileged user and a non-privileged user, the privileged user being authorized to perform sensitive computer system operations the non-privileged user is not authorized to perform;
    (b) when the user is identified as the non-privileged user, refraining from performing a monitoring action that includes monitoring computer system activity of the user;
    (c) when the user is identified as the privileged user, then (i) performing the monitoring action to monitor computer system activity of the privileged user to detect initiation of a sensitive computer system operation, and (ii) identifying the computer system operation as one of a sensitive computer system operation and a non-sensitive computer system operation, the sensitive computer system operation being either an unusual operation not normally performed by the privileged user or having special potential for causing disruption to a service provided by the computer system, the non-sensitive computer system operation normally being performed by the privileged user and lacking special potential for causing disruption to the service provided by the computer system;
    (d) when the computer system operation is identified as the non-sensitive computer system operation during the monitoring, then allowing the computer system operation to proceed and refraining from performing an assessment to determine whether the computer system operation exceeds a predetermined criteria of riskiness;
    (e) when the computer system operation is identified as the sensitive computer system operation during the monitoring, then performing the assessment to determine whether the sensitive computer system operation exceeds the predetermined criteria of riskiness, and if not then (i) allowing the sensitive computer system operation to proceed and (ii) refraining from performing an additional security related processing; and
    (f) when the sensitive computer system operation is determined to exceed the predetermined criteria of riskiness, then performing the additional security related processing by:
      (1) formulating and sending a query to the risk engine requesting risk assessment for the sensitive computer system operation;
      (2) receiving a response to the query from the risk engine; and
      (3) based on a risk assessment result in the response, selecting one of a set of control actions and performing the selected control action, the set of control actions including allowing the sensitive computer system operation to proceed, preventing the sensitive computer system operation from proceeding, issuing a notification that the sensitive computer operation is proceeding, and obtaining further confirmation as a condition to allowing the sensitive computer system operation to proceed.

12. A computer according to claim 11, wherein the computer system is a storage area network, the privileged user is a storage area network administrator, and the sensitive computer system operation is a one of a set of predetermined administrative storage-related operations, the set including mounting or dismounting a disk drive; deleting data of the non-privileged user; writing to a file of the non-privileged user; and deleting an entire storage device.

13. A computer according to claim 12, wherein the storage-related operation is selected from the group consisting of mounting or dismounting a disk drive; deleting user data and/or an entire storage device; and writing to files stored on storage devices of the storage area network.

14. A computer according to claim 11, wherein the memory further includes additional computer instructions constituting an operating system of the computer, and wherein the sensitive computer system operation is a function provided by the operating system.

15. A computer according to claim 14, wherein the function provided by the operating system is selected from the group consisting of deleting user data and/or storage devices; and writing data to files included in a file system of the operating system.

16. A computer according to claim 11, wherein the memory further includes additional computer instructions constituting a virtual machine monitor of the computer, and wherein the sensitive computer system operation is a function provided by the virtual machine monitor.

17. A computer according to claim 16, wherein the function provided by the virtual machine monitor is selected from the group consisting of creating a virtual machine; deleting a virtual machine; and moving or copying a virtual machine.

18. A computer according to claim 11, wherein the risk agent is one of a plurality of risk agents in the computer, each risk agent operating at a respective one of distinct operating layers of the computer, the operating layers including at least an application layer and an operating system layer, each risk agent communicating with a respective one of distinct risk engines using respective distinct risk models each tailored for the respective operating layer.

19. A computer according to claim 18, wherein the operating layers further include a virtual machine monitor layer, and the risk agents include a risk agent operating at the virtual machine monitor layer.

20. A computer according to claim 11, wherein obtaining further confirmation as a condition to allowing the sensitive computer system operation to proceed includes (i) selecting one of set of confirmation actions including requesting further credentials from the privileged user and obtaining clearance from a separate trusted system user, and (ii) performing the selected confirmation action.
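
The tiered gating in steps (a) through (f) of claims 1 and 11, shown as an added Python example that is not code from the patent or its inventors. The operation names follow claims 2 and 3; the weights, thresholds, per-admin baseline table, the in-process `risk_engine` stand-in and all identifiers are assumptions made for illustration.

```python
from dataclasses import dataclass
from enum import Enum

class Control(Enum):
    ALLOW, NOTIFY, CONFIRM, PREVENT = range(4)

# Assumed base weights for operations with "special potential for disruption";
# names follow claims 2 and 3, the numbers are constructed.
DISRUPTIVE = {"mount_disk": 30, "write_user_file": 40,
              "delete_user_data": 70, "delete_storage_device": 90}
UNUSUAL_BASE = 20      # assumed weight for an unusual, non-disruptive operation
LOCAL_CRITERIA = 35    # assumed "predetermined criteria of riskiness"

@dataclass
class Event:
    user: str
    privileged: bool
    operation: str
    off_hours: bool = False

def risk_engine(query: dict) -> int:
    """Rules-based scorer standing in for the remote risk engine (0..100)."""
    score = query["base"] + 20 * query["unusual"] + 20 * query["off_hours"]
    return min(score, 100)

class RiskAgent:
    def __init__(self, baseline: dict[str, set[str]]):
        self.baseline = baseline   # operations each admin normally performs
        self.queries = []          # queries actually sent to the engine

    def handle(self, ev: Event) -> Control:
        if not ev.privileged:                        # (b) agent does not monitor;
            return Control.ALLOW                     #     normal access control applies
        unusual = ev.operation not in self.baseline.get(ev.user, set())
        base = DISRUPTIVE.get(ev.operation)
        if base is None and not unusual:             # (d) non-sensitive: no assessment
            return Control.ALLOW
        base = UNUSUAL_BASE if base is None else base
        if base + 10 * unusual <= LOCAL_CRITERIA:    # (e) sensitive, under criteria
            return Control.ALLOW
        query = {"user": ev.user, "operation": ev.operation, "base": base,
                 "unusual": unusual, "off_hours": ev.off_hours}
        self.queries.append(query)                   # (f)(1) query the engine
        score = risk_engine(query)                   # (f)(2) response
        if score >= 90:                              # (f)(3) select a control action
            return Control.PREVENT
        if score >= 70:
            return Control.CONFIRM
        return Control.NOTIFY if score >= 50 else Control.ALLOW
```

Only operations that pass the local check in step (e) reach the engine, so `agent.queries` doubles as an audit trail of escalated administrator actions.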

Patent Metadata

Filing Date: Unknown

Publication Date: July 15, 2014

Inventors: Gregory Dicovitsky; Robert William Bryan

Cite as: Patentable. “COMPUTER SYSTEM WITH RISK-BASED ASSESSMENT AND PROTECTION AGAINST HARMFUL USER ACTIVITY” (8782782). https://patentable.app/patents/8782782
